Broke apart the auditd rule for time changes into individual elements to better support being able to define these rules in a variety of ways. Also added a couple generic architecture tests. Note that the architecture tests have a class of miscellaneous rather than inventory. Per OVAL specification Version 5.10.1 Revision 1 an OVAL class of inventory "describes OVAL Definitions that check to see if a piece of software is installed on a system."
Signed-off-by: Kevin Spargur kspargur@redhat.com
Kevin Spargur (1): Broke apart auditd rules/prose for time changes, broke out architecture tests
 .../src/input/checks/audit_rules_time_adjtimex.xml |  57 +++++++++
 .../checks/audit_rules_time_clock_settime.xml      |  57 +++++++++
 .../input/checks/audit_rules_time_settimeofday.xml |  57 +++++++++
 rhel6/src/input/checks/audit_rules_time_stime.xml  |  41 +++++++
 .../checks/audit_rules_time_watch_localtime.xml    |  33 +++++
 .../input/checks/system_info_architecture_x86.xml  |  30 +++++
 .../checks/system_info_architecture_x86_64.xml     |  30 +++++
 rhel6/src/input/profiles/common.xml                |   8 +-
 rhel6/src/input/system/auditing.xml                | 126 ++++++++++++++++++--
 9 files changed, 427 insertions(+), 12 deletions(-)
 create mode 100644 rhel6/src/input/checks/audit_rules_time_adjtimex.xml
 create mode 100644 rhel6/src/input/checks/audit_rules_time_clock_settime.xml
 create mode 100644 rhel6/src/input/checks/audit_rules_time_settimeofday.xml
 create mode 100644 rhel6/src/input/checks/audit_rules_time_stime.xml
 create mode 100644 rhel6/src/input/checks/audit_rules_time_watch_localtime.xml
 create mode 100644 rhel6/src/input/checks/system_info_architecture_x86.xml
 create mode 100644 rhel6/src/input/checks/system_info_architecture_x86_64.xml
diff --git a/rhel6/src/input/checks/audit_rules_time_adjtimex.xml b/rhel6/src/input/checks/audit_rules_time_adjtimex.xml new file mode 100644 index 0000000..7d47206 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_time_adjtimex.xml 
@@ -0,0 +1,57 @@ +<def-group> + <definition class="compliance" + id="audit_rules_time_adjtimex" version="1"> + <metadata> + <title>Record Attempts to Alter Time Through Adjtimex</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14051-7" source="CCE" /> + <description>Record attempts to alter time through adjtimex. + </description> + </metadata> + <criteria comment="Test for either..." operator="OR"> + <criteria comment="both..." operator="AND"> + <extend_definition comment="32bit and ..." + definition_ref="system_info_architecture_x86" /> + <criterion comment="32bit line adjtimex and key present" + test_ref="test_audit_rules_time_adjtimex_x86" /> + </criteria> + <criteria comment="both ..." operator="AND"> + <extend_definition comment="64bit and ..." + definition_ref="system_info_architecture_x86_64" /> + <criterion comment="64bit line for adjtimex and key present" + test_ref="test_audit_rules_time_adjtimex_x86_64" /> + </criteria> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 32bit -S adjtime and key" + id="test_audit_rules_time_adjtimex_x86" version="1"> + <ind:object object_ref="obj_audit_rules_time_adjtimex_x86" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_adjtimex_x86" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b32.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 64bit -S adjtime and key" + id="test_audit_rules_time_adjtimex_x86_64" version="1"> + <ind:object 
object_ref="obj_audit_rules_time_adjtimex_x86_64" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_adjtimex_x86_64" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b64.*-S[\s]+adjtimex[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/audit_rules_time_clock_settime.xml b/rhel6/src/input/checks/audit_rules_time_clock_settime.xml new file mode 100644 index 0000000..58fecc8 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_time_clock_settime.xml 
@@ -0,0 +1,57 @@ +<def-group> + <definition class="compliance" + id="audit_rules_time_clock_settime" version="1"> + <metadata> + <title>Record Attempts to Alter Time Through Clock_settime</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14051-7" source="CCE" /> + <description>Record attempts to alter time through clock_settime. + </description> + </metadata> + <criteria comment="Test for either..." operator="OR"> + <criteria comment="both..." operator="AND"> + <extend_definition comment="32bit and ..." + definition_ref="system_info_architecture_x86" /> + <criterion comment="32bit line clock_settime and key present" + test_ref="test_audit_rules_time_clock_settime_x86" /> + </criteria> + <criteria comment="both ..." operator="AND"> + <extend_definition comment="64bit and ..." + definition_ref="system_info_architecture_x86_64" /> + <criterion comment="64bit line for clock_settime and key present" + test_ref="test_audit_rules_time_clock_settime_x86_64" /> + </criteria> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 32bit -S clock_settime and key" + id="test_audit_rules_time_clock_settime_x86" version="1"> + <ind:object object_ref="obj_audit_rules_time_clock_settime_x86" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_clock_settime_x86" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b32.*-S[\s]+clock_settime[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 64bit -S clock_settime and key" + 
id="test_audit_rules_time_clock_settime_x86_64" version="1"> + <ind:object object_ref="obj_audit_rules_time_clock_settime_x86_64" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_clock_settime_x86_64" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b64.*-S[\s]+clock_settime[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/audit_rules_time_settimeofday.xml b/rhel6/src/input/checks/audit_rules_time_settimeofday.xml new file mode 100644 index 0000000..2ab39b1 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_time_settimeofday.xml 
@@ -0,0 +1,57 @@ +<def-group> + <definition class="compliance" + id="audit_rules_time_settimeofday" version="1"> + <metadata> + <title>Record Attempts to Alter Time Through Settimeofday</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14051-7" source="CCE" /> + <description>Record attempts to alter time through settimeofday. + </description> + </metadata> + <criteria comment="Test for either..." operator="OR"> + <criteria comment="both..." operator="AND"> + <extend_definition comment="32bit and ..." + definition_ref="system_info_architecture_x86" /> + <criterion comment="32bit line settimeofday and key present" + test_ref="test_audit_rules_time_settimeofday_x86" /> + </criteria> + <criteria comment="both ..." operator="AND"> + <extend_definition comment="64bit and ..." + definition_ref="system_info_architecture_x86_64" /> + <criterion comment="64bit line for settimeofday and key present" + test_ref="test_audit_rules_time_settimeofday_x86_64" /> + </criteria> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 32bit -S settimeofday and key" + id="test_audit_rules_time_settimeofday_x86" version="1"> + <ind:object object_ref="obj_audit_rules_time_settimeofday_x86" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_settimeofday_x86" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b32.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 64bit -S settimeofday and key" + id="test_audit_rules_time_settimeofday_x86_64" 
version="1"> + <ind:object object_ref="obj_audit_rules_time_settimeofday_x86_64" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_settimeofday_x86_64" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b64.*-S[\s]+settimeofday[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> +</def-group> diff --git a/rhel6/src/input/checks/audit_rules_time_stime.xml b/rhel6/src/input/checks/audit_rules_time_stime.xml new file mode 100644 index 0000000..555f088 --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_time_stime.xml 
@@ -0,0 +1,41 @@ +<def-group> + <definition class="compliance" + id="audit_rules_time_stime" version="1"> + <metadata> + <title>Record Attempts to Alter Time Through Stime</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14051-7" source="CCE" /> + <description>Record attempts to alter time through stime, note that this + is only relevant on 32bit architecture.</description> + </metadata> + <criteria comment="Test for either..." operator="OR"> + <criteria comment="both..." operator="AND"> + <extend_definition comment="32bit and ..." + definition_ref="system_info_architecture_x86" /> + <criterion comment="32bit line stime and key present" + test_ref="test_audit_rules_time_stime_x86" /> + </criteria> + <criteria comment="both ..."> + <extend_definition comment="64bit and ..." + definition_ref="system_info_architecture_x86_64" /> + </criteria> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence of 32bit -S stime and key" + id="test_audit_rules_time_stime_x86" version="1"> + <ind:object object_ref="obj_audit_rules_time_stime_x86" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_stime_x86" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-a[\s]+(always,exit|exit,always)[\s]+-F[\s]+arch=b32.*-S[\s]+stime[\s]+.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/audit_rules_time_watch_localtime.xml b/rhel6/src/input/checks/audit_rules_time_watch_localtime.xml new file mode 100644 index 0000000..77a5c1f --- /dev/null +++ b/rhel6/src/input/checks/audit_rules_time_watch_localtime.xml 
@@ -0,0 +1,33 @@ +<def-group> + <definition class="compliance" + id="audit_rules_time_watch_localtime" version="1"> + <metadata> + <title>Record Attempts to Alter Time Through the Localtime File</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <reference ref_id="CCE-14051-7" source="CCE" /> + <description>Record attempts to alter time through /etc/localtime + </description> + </metadata> + <criteria comment="Test for localtime file being watched" > + <criterion comment="watch localtime file" + test_ref="test_audit_rules_time_watch_localtime" /> + </criteria> + </definition> + <ind:textfilecontent54_test check="all" + check_existence="at_least_one_exists" + comment="Tests the for presence etc localtime file in the rules file" + id="test_audit_rules_time_watch_localtime" version="1"> + <ind:object object_ref="obj_audit_rules_time_watch_localtime" /> + </ind:textfilecontent54_test> + <ind:textfilecontent54_object id="obj_audit_rules_time_watch_localtime" + version="1"> + ind:path/etc/audit</ind:path> + ind:filenameaudit.rules</ind:filename> + <ind:pattern + operation="pattern match">^[\s]*-w[\s]+/etc/localtime[\s]+-p[\s]+\b([rx]*w[rx]*a[rx]*|[rx]*a[rx]*w[rx]*)\b.*-k[\s]+[\S]+[\s]*$</ind:pattern> + <ind:instance datatype="int">1</ind:instance> + </ind:textfilecontent54_object> + +</def-group> diff --git a/rhel6/src/input/checks/system_info_architecture_x86.xml b/rhel6/src/input/checks/system_info_architecture_x86.xml new file mode 100644 index 0000000..894e499 --- /dev/null +++ b/rhel6/src/input/checks/system_info_architecture_x86.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="miscellaneous" + id="system_info_architecture_x86" version="1"> +<!-- Note that this does not meet requirements for class=inventory as that +only tests for patches per 5.10.1 Revision 1 --> + <metadata> + <title>Test for x86 Architecture</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>Generic test for x86 architecture to be used by other tests</description> + </metadata> + <criteria> + <criterion comment="Generic test for x86 architecture" + test_ref="test_system_info_architecture_x86" /> + </criteria> + </definition> + <unix:uname_test check="all" + comment="32 bit architecture" + id="test_system_info_architecture_x86" + version="1"> + <unix:object object_ref="object_system_info_architecture_x86" /> + <unix:state state_ref="state_system_info_architecture_x86" /> + </unix:uname_test> + <unix:uname_object comment="32 bit architecture" id="object_system_info_architecture_x86" version="1"> + </unix:uname_object> + <unix:uname_state comment="32 bit architecture" id="state_system_info_architecture_x86" version="1"> + <unix:processor_type operation="equals">x86</unix:processor_type> + </unix:uname_state> +</def-group> diff --git a/rhel6/src/input/checks/system_info_architecture_x86_64.xml b/rhel6/src/input/checks/system_info_architecture_x86_64.xml new file mode 100644 index 0000000..0019a49 --- /dev/null +++ b/rhel6/src/input/checks/system_info_architecture_x86_64.xml 
@@ -0,0 +1,30 @@ +<def-group> + <definition class="miscellaneous" + id="system_info_architecture_x86_64" version="1"> +<!-- Note that this does not meet requirements for class=inventory as that + only tests for patches per 5.10.1 Revision 1 --> + <metadata> + <title>Test for x86_64 Architecture</title> + <affected family="unix"> + <platform>Red Hat Enterprise Linux 6</platform> + </affected> + <description>Generic test for x86_64 architecture to be used by other tests</description> + </metadata> + <criteria> + <criterion comment="Generic test for x86_64 architecture" + test_ref="test_system_info_architecture_x86_64" /> + </criteria> + </definition> + <unix:uname_test check="all" + comment="64 bit architecture" + id="test_system_info_architecture_x86_64" + version="1"> + <unix:object object_ref="object_system_info_architecture_x86_64" /> + <unix:state state_ref="state_system_info_architecture_x86_64" /> + </unix:uname_test> + <unix:uname_object comment="64 bit architecture" id="object_system_info_architecture_x86_64" version="1"> + </unix:uname_object> + <unix:uname_state comment="64 bit architecture" id="state_system_info_architecture_x86_64" version="1"> + <unix:processor_type operation="equals">x86_64</unix:processor_type> + </unix:uname_state> +</def-group> diff --git a/rhel6/src/input/profiles/common.xml b/rhel6/src/input/profiles/common.xml index cb6024f..1b188da 100644 --- a/rhel6/src/input/profiles/common.xml +++ b/rhel6/src/input/profiles/common.xml @@ -88,7 +88,13 @@ <select idref="configure_auditd_max_log_file_action" selected="true"/> <select idref="configure_auditd_admin_space_left_action" selected="true"/>
-<select idref="audit_time_rules" selected="true"/> +<!-- <select idref="audit_time_rules" selected="true"/> --> +<select idref="audit_rules_time_adjtimex" selected="true"/> +<select idref="audit_rules_time_settimeofday" selected="true"/> +<select idref="audit_rules_time_stime" selected="true"/> +<select idref="audit_rules_time_clock_settime" selected="true"/> +<select idref="audit_rules_time_watch_localtime" selected="true"/> + <select idref="audit_account_changes" selected="true"/> <select idref="audit_network_modifications" selected="true"/> <select idref="audit_mac_changes" selected="true"/> diff --git a/rhel6/src/input/system/auditing.xml b/rhel6/src/input/system/auditing.xml index 62e0f24..746e1c9 100644 --- a/rhel6/src/input/system/auditing.xml +++ b/rhel6/src/input/system/auditing.xml @@ -354,25 +354,129 @@ editing as needed, the new rules can be activated as follows: </description> <ref disa="171,172,1115,1454,1487,1571,1589,880" />
-<Rule id="audit_time_rules"> +<Group id="audit_time_rules"> <title>Records Events that Modify Date and Time Information</title> +<description>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time. All changes to the system +time should be audited.</description> + +<Rule id="audit_rules_time_adjtimex"> +<title>Record attempts to alter time through adjtimex</title> +<description>On a 32-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre># audit_time_rules +-a always,exit -F arch=b32 -S adjtimex -k audit_time_rules</pre> +On a 64-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre># audit_time_rules +-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules</pre> +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime +-k audit_time_rules</pre> +</description> +<rationale>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). 
All changes +to the system time should be audited.</rationale> +<ident cce="14051-7" /> +<oval id="audit_rules_time_adjtimex" /> +<ref nist="AU-2(a)" /> +<ref disa="1487,169" /> +</Rule> + +<Rule id="audit_rules_time_settimeofday"> +<title>Record attempts to alter time through settimeofday</title> +<description>On a 32-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre># audit_time_rules +-a always,exit -F arch=b32 -S settimeofday -k audit_time_rules</pre> +On a 64-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre># audit_time_rules +-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules</pre> +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime +-k audit_time_rules</pre> +</description> +<rationale>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). 
All changes +to the system time should be audited.</rationale> +<ident cce="14051-7" /> +<oval id="audit_rules_time_settimeofday" /> +<ref nist="AU-2(a)" /> +<ref disa="1487,169" /> +</Rule> + +<Rule id="audit_rules_time_stime"> +<title>Record attempts to alter time through stime</title> <description>On a 32-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: <pre># audit_time_rules --a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -S clock_settime -k audit_time_rules --w /etc/localtime -p wa -k audit_time_rules</pre> -On a 64-bit system, add the following to <tt>/etc/audit/audit.rules</tt> (note the lack -of <tt>-S stime</tt>, which is not relevant for a 64-bit installation): +-a always,exit -F arch=b32 -S stime -k audit_time_rules</pre> +On a 64-bit system, the "-S time" is not necessary. The -k option allows for +the specification of a key in string form that can be used for better +reporting capability through ausearch and aureport. Multiple system calls +can be defined on the same line to save space if desired, but is not required. +See an example of multiple combined syscalls: +<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime +-k audit_time_rules</pre> +</description> +<rationale>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). 
All changes +to the system time should be audited.</rationale> +<ident cce="14051-7" /> +<oval id="audit_rules_time_stime" /> +<ref nist="AU-2(a)" /> +<ref disa="1487,169" /> +</Rule> + +<Rule id="audit_rules_time_clock_settime"> +<title>Record attempts to alter time through clock_settime</title> +<description>On a 32-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: <pre># audit_time_rules --a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k audit_time_rules --w /etc/localtime -p wa -k audit_time_rules</pre> +-a always,exit -F arch=b32 -S clock_settime -k audit_time_rules</pre> +On a 64-bit system, add the following to <tt>/etc/audit/audit.rules</tt>: +<pre># audit_time_rules +-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules</pre> +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport. +Multiple system calls can be defined on the same line to save space if +desired, but is not required. See an example of multiple combined syscalls: +<pre>-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime +-k audit_time_rules</pre> +</description> +<rationale>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). 
All changes +to the system time should be audited.</rationale> +<ident cce="14051-7" /> +<oval id="audit_rules_time_clock_settime" /> +<ref nist="AU-2(a)" /> +<ref disa="1487,169" /> +</Rule> + +<Rule id="audit_rules_time_watch_localtime"> +<title>Record attempts to alter the localtime file</title> +<description>Add the following to <tt>/etc/audit/audit.rules</tt>: +<pre>-w /etc/localtime -p wa -k audit_time_rules</pre> +The -k option allows for the specification of a key in string form that can +be used for better reporting capability through ausearch and aureport and +should always be used. </description> -<rationale>Arbitrary changes to the system time can be used to obfuscate nefarious -activites in log files as well as to confuse network services that are highly dependent -upon an accurate system time (such as sshd). All changes to the system time should be audited.</rationale> +<rationale>Arbitrary changes to the system time can be used to obfuscate +nefarious activites in log files as well as to confuse network services that +are highly dependent upon an accurate system time (such as sshd). All changes +to the system time should be audited.</rationale> <ident cce="14051-7" /> -<oval id="audit_rules_record_timechange" /> +<oval id="audit_rules_time_watch_localtime" /> <ref nist="AU-2(a)" /> +<ref disa="1487,169" /> </Rule> +</Group><!--End <Group id="audit_time_rules"> -->
<Rule id="audit_account_changes"> <title>Record Events that Modify User/Group Information</title>
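Review bot: the textfilecontent54 pattern in audit_rules_time_adjtimex.xml (and the same pattern copied into the clock_settime, settimeofday and stime checks) hard-codes field order: `-a always,exit` must be followed immediately by `-F arch=b32` and only then by `-S adjtimex`, so a rule such as `-a always,exit -S adjtimex -F arch=b32 -k audit_time_rules`, which auditctl accepts and loads identically, is reported as a failure. Either use lookaheads for the `-F arch=`, `-S` and `-k` fields (if the evaluator's regex engine supports them) or add a second object with the `-S ... -F arch=` ordering and OR the two criteria. Separately, the object lines `ind:path/etc/audit</ind:path>` and `ind:filenameaudit.rules</ind:filename>` as they appear here lack their opening `<ind:path>` / `<ind:filename>` tags in every new check file; if that is not a mail-transport artifact the files will not parse. The test comments also say `-S adjtime` where the pattern tests `adjtimex`, and "Tests the for presence" should read "Tests for the presence".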
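Review bot: in audit_rules_time_stime.xml the second OR branch `<criteria comment="both ...">` holds only the `system_info_architecture_x86_64` extend_definition, so the definition is unconditionally true on any x86_64 host. That matches the description (stime is 32-bit only), but the copied comment "both ..." is misleading; say so explicitly, e.g. `comment="stime does not exist on x86_64; pass unconditionally"`. Note also that neither this nor the sibling checks has a branch for a host whose processor type equals neither literal, where the whole OR evaluates false rather than not applicable.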
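Review bot: `<unix:processor_type operation="equals">x86</unix:processor_type>` in system_info_architecture_x86.xml will not match a 32-bit RHEL 6 host: uname_object's processor_type carries what `uname -p` reports, which on 32-bit Intel/AMD builds is `i686` (or `i386`, `i586`, `athlon`), never the literal `x86`. As written the x86 definition always fails, and every time-change check that extends it fails on 32-bit systems. Use `operation="pattern match"` with something like `^(i[3-6]86|athlon)$`, or test `machine_class` the same way; the x86_64 state is fine because `uname -p` does print `x86_64` there. Also, the in-file comment says class=inventory "only tests for patches", while the commit message quotes the spec as checking whether "a piece of software is installed"; align the comment with the quoted spec text in both architecture files.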
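Review bot: in common.xml the old `<select idref="audit_time_rules" selected="true"/>` is commented out rather than deleted; a profile should not carry dead XML. Since audit_time_rules now exists as a Group with the same id, either delete the line or select the Group and drop the five per-rule selects, but not both forms. Related: the old Rule referenced `<oval id="audit_rules_record_timechange" />`, which this patch removes, yet the diffstat shows no deletion of audit_rules_record_timechange.xml, leaving an orphaned check under rhel6/src/input/checks; remove it here or say why it stays.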
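Review bot: in auditing.xml the stime rule says `On a 64-bit system, the "-S time" is not necessary`; that should read `-S stime`, and the 64-bit adjtimex/settimeofday/clock_settime example that follows belongs in those rules, not in a rule about stime. The combined-syscall `<pre>` example in all four syscall rules is broken across two lines (`-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime` then `-k audit_time_rules`); a reader who copies it gets an audit.rules line without `-k` plus a second line auditctl rejects, and the new OVAL patterns, which require `-k` on the same line as `-S`, would then flag the system; keep the example on one line. Typo `activites` (should be `activities`) appears in the Group description and all five rationales, and that rationale paragraph is repeated verbatim six times; keep the full text in the Group description and shorten each Rule's rationale.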
Ah, yes, after thinking about it for a bit, this makes sense.
I had some concerns about going overboard on granularity, but as you can see in the RHEL 5 manual STIG http://people.redhat.com/swells/scap-security-guide-0.1/output/rhel5-table-s... one of our future project consumers also felt that this was the right level of granularity.
Ack / Thanks!
On 06/18/2012 10:28 AM, Kevin Spargur wrote:
scap-security-guide@lists.fedorahosted.org